It is meet the press daily and i am chuck todd. Were following a number of developments right now about the pandemic, on capitol hill, and on the Supreme Court. And were also following news that the president is about tosh to issue a few pardons. We begin with what could be the biggest hack of the u. S. Government ever. The list of Government Agencies and private Companies Reportedly breached by what is suspected to be a russian state hack is astounding, alarming, and, sadly, its growing. The agency tasked with securing our countrys Cyber Infrastructure is calling the hack, quote, a grave risk to federal agencies, to state governments, and for some private sector companies. Were going to try to get a definition of what grave risk means in a moment. They are also bluntly warning that we do not know the full extent of what was compromised, nor how it was compromised. Let me repeat. Weve been attacked and we dont know how they did it, we dont know what they took, and we dont know if theyre still here. To borrow a rumsfeldian turn of phrase, we dont know what we dont know. But what we do know is really, really bad. The department of energy confirmed it was hacked. They oversee our nuclear arsenal. But the agency says that so far, Mission EssentialNational Security functions havent been impacted. Microsoft says that this attack is actually ongoing and that theyve identified 40 customers who have been compromised and more are expected to be figure g ing it out soon. Folks, we have to approach this folk by assuming that the russian government has gained control of all of the networks that it has penetrated, because that is what weve been told by former cybersecurity experts who have advised republican and democratic president s. And as i mentioned at the very top of this show, this has breached the infrastructure powering our government, our economy, and our National Security. So combatting this attack, whether youre in the Current Administration or about to serve in the next one, is going to be inordinately complicated. Considering the scope of what could have been hacked, russia could have already covered their tracks, given they were roaming undetected in this network for months, they think as far back as march. By the way, the response from the president , zero. Nothing. Not a tweet, not a statement, not a word. Which has some lawmakers mystified, considering the gravity of this specific russian threat. They had the capacity to show that our defense is extraordinarily inadequate. That our cyber warfare readiness is extraordinarily weak, that they think so little of our ability to fight back from a cyber standpoint, that they do this with impunity. So our National Security is extraordinarily vulnerable. And in this in this setting, not to have the white house aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary. My north bay colleague Shannon Pettypiece has the latest from the white house where President Trump has remained quiet on the hack. Shannon, whats interesting here is that the president s National Security adviser has been on a trip and he cut it short because of this hack, so it was the only, i feel like, acknowledgement in the west wing that this was a serious issue, that Robert Obrien decided we had to return to the white house. But any explanation why we havent heard from the president on this . Reporter well, the most the white house has told us is that the president has been briefed on this. So, okay, good. I would certainly hope so, but, yes, thats the only official word were getting out of the white house. You mentioned, really, no remarks from the president about this at all. I mean, of course, its not that different, though, than how he has been failing to acknowledge, respond, address the other big crisis in this country right now, the coronavirus pandemic, as it burns across the country. You know, i think a lot of this has to do with the fact that there is a growing sense of home alone in the administration right now. And as we get to the final days, it feels so much like the first days, where you have people in an acting role or a temporary foal filling really major jobs. Of course, the head of cybersecurity, youve talked about chris krebs, who was fired by the president after the election. His job as being temporarily filled. But the secretary of defense is an acting position right now, because the president fired mark esper just a few weeks ago. And the president is meeting today with the current acting head of the department of defense. But even within the white house, a number of key positions, the head of communications, the communications director, she has left. That position is open. So its getting to the point where you have a skeletal staff managing all of these issues or a temporary staff, as not only, we deal with the pandemic, but of course, this new crisis that were dealing with. So, have they even has there been any briefing set up, sometimes, you know, shannon, theyll instead of doing a public briefing, they might do a Conference Call with reporters . It might be a senior battleground official. Has there even been anything like that on the house . I can tell you from our reporting, and what has been going on with myself and my colleagues and what our reporting indicates is, no, this is not an issue that the white house is trying to message through the media in any way, is trying to brief the media, bring them up on to some extent. Certainly not from the white house, maybe in other departments of the government, but theres so little activity going on. And i would say one thing, our reporting indicates that the president is focused on today is pardons and particularly, theres a lot of speculation of what theyll be, but pardons for those involved in the russia investigation, based on some reportings by my colleagues and other news outlets. So that appears to be the focus in the news out today. Shannon, thank you very much. Ill talk in just a moment to President Trumps former National Security adviser, john bolton. But first, i want to bring in a cybersecurity expert. Kirsten todd is the managing director of the Cyber Readiness Institute and the former executive director of the commission on enhancing National Cybersecurity during the Obama Administration. Kerst kerstin, thank you for coming on. The list of Government Entities that have been impacted here, im going to put it up on screen, you know, it looks like, at this point, maybe the list of Government Entities that havent been hacked might be a shorter list here. Microsoft describes this attack, kerstin, as ongoing. Ongoing. What does that mean and what do you fear that we dont know . Well, chuck, thanks very much for having me on. Good afternoon. This is certainly a frightening attack, for many reasons. What we know is that a Software Vulnerability was exploited and we should assume, as is often the case in any type of attack, the first lesson is that everything has been breached. And unfortunately, as we learn more, the breadth and depth of this attack, its certainly reasonable to expect that these networks are breached across Government Agencies, across industry. And the more concerning piece to this is that the adversary is probably in places that we havent detected yet, and thats probably what microsoft was alluding to. So we have to be fully aware. The department of Homeland Security put out an alert yesterday saying we should start using out of bands communications, which means by the industry by which government and industry have been communicating with each other needs to essentially stop and we need to identify alternative ways, because the adversary is across all networks. All right. Lets put that in laymans terms. Right now, the government Government Employees at all of these impacted agencies cant use email, cant use their governmentissued phones, cant use governmentissued laptops, cant work on Government Networks . Is that what youre saying . To be completely secure, its recognizing that if theres going to be any discussion about how to respond to this attack, it certainly shouldnt happen with the Communications Tools that have been used up to this point. So anything with any type of private confidential discussion around response to this remediation should be done through out of band communications. Which is a very serious statement. This is, do not underestimate the power and the impact of saying Something Like that at the government level. So theres supposedly been these networks in march and the assumption is they might have done backdoor things and things like that. How could they have gone this long in the United States without knowing that they were in our Network Since march . I mean, we found out when did this solar winds, this vendor, is it fire eye, i guess, is the first one that found out. Were talking about maybe around end of november. So they went undetected for eight months. How . Well, chuck, this is the question. How did they have this attack for so long, when adversaries on our networks for a long period of time, it just gives them more opportunity to do more malicious activity. And what it really demonstrates is that the tools that we have in government right now are insufficient and inadequate to address the threats of today. And what that means is that we have to be identifying, working more closely with the private sector, pulling in those best practices. Youre a veteran of washington, d. C. You know the procurement process is not a fast one, but speed and agility in how we respond to these attacks and in detection has to be critical. The other piece is what were doing before an event happens. Government and industry working together, preevent planning to hunt adversaries, to make sure we get them off the networks and to determine when they are on our networks. You know, in talking to you a little bit yesterday, talking to you now, talking to other experts, i feel like im hearing a similar story to what we heard after 9 11, when it was, well, we had the intelligence, some agencies knew some things, but they werent talking. In this cyber attack, is it do we not does the world of i. T. In the government not talk to each other . Does the cybersecurity folks, is there a whole of do we not just have this whole of government conversation, or do we have the same stovepipe issues, if you will, and siloing that hampered us before 9 11. Chuck, assiits a great ques, because when we talk about multiple agencies, intelligence, defense, civilian, we do have trouble coordinating across all of these efforts. And there was legislation that was passed on friday, that has gotten bipartisan support to bring a senior role into the white house to have oversight and coordination over this type over cyber activity. And i think thats certainly a step in the right direction. But we absolutely have to be coordinating more effectively, more efficiently, and recognizing the responsibility that were putting on agencies. Ill just say, right after 9 11, i was working on the legislation to create dhs, and so im aware of what scsas capabilities are. In may of this year, sca was responsible for pandemic response, securing our president ial election, and securing Government Agencies and working with the private sector on cybersecurity. Its a 2yearold agency with about 2,000 employees. So we clearly have a disconnect in how were running and managing all of this. Having said that, there are also great efforts on the part of nsa and Cyber Command. Its really about synthesizing and creating oversight and structure. Not to get not to drawn people in the alphabet soup of washington, but scsa, which is the agency that chris krebs was running, is it possible that pandemic and Election Security was such a priority that we didnt see what was happening on the cybersecurity side of things . Well, to your earlier question, this just didnt fall on scsa alone. Its a broader issue to step back and see how are we organized to prevent and protect these issues. And one of the key pieces to this is working more closer with the private sector. Taking some of their best practices, bringing them into government. And i would say, you know, the boring yet critical piece to National Security is supply chain security. We have to have better insight and transparency into the supply chains of how were protecting Government Agencies. And making sure that each of those components is secure. So, for the incoming Biden Administration, if all of our networks are compromised, how do we go about uncompromising them . Do you have to basically do we have to scrap, build new ones . Or can we root out this malware . Well, with any response, with any crisis, our first piece we look at remediation is Disaster Recovery, think about it like responding to a hurricane. So the Disaster Recovery in this is going to identify what happened, what went wrong. When i served as executive director of president obamas bipartisan commission, one of our recommendations was to have an Ntsb National Transportation safety boardlike structure after a cyber event to be able to see where are the where the vulnerabilities, where are the compromises, what can we save, and what do we need to rebuild. And certainly, that will be a priority for the Biden Administration. A second priority, though, absolutely, is that we have to look at consequences for these types of attacks. Were still struggling to identify how we respond as a nation, but more importantly, across nations, to these types of cyber events. And as long as they go without consequences, they will continue to happen. So i certainly expect that the Biden Administration will work with allies, likeminded Economic Partners to figure out, how do we respond to these types of events, so we can prevent them and manage them much more effectively. Well, you just did a wonderful segue to my next guest, a former National Security adviser, with whom i want to ask that very question when it comes to retaliation. Kirsten todd, a longtime cybersecurity expert in and out of government, thank you for coming on and sharing your expertise with us. Much preesappreciated. With me now is former National Security adviser, ambassador john bolton. So let me start the questioning this way, ambassador bolton. Whats the line between hack and attack, as far as the National Security of the United States is under this circumstance . Yeah, well, i think as most people have commented in the past few days, we obviously still dont know the full extent of the damage thats opinion done or the potential damage, but from what has been publicly reported, the closest analogy that i can draw here is this is like a proof of concept attack for the japanese on pearl harbor on december the 7th. Its like, they flew several hundred airplanes over pearl harbor, didnt actually attack anything, just take a look at the ships at their docking positions and then went back to their aircraft carriers. What else do you have to know at this point, to know that the russians can get in into all of these different systems. And if they can, so can others. So i think there are many, many tasks that have to be performed here. Me question about it. But i think the top priority has got to be, if we determine its the russians, thats where the infrastructure tends to point. What the retaliation is going to be. And i think it ought to be whatever we assess the costs we have incurred to be, plus, plus, plus. Thats how you reestablish the terms. Well, its interesting on deterrence, but this has been a debate, i know the Obama Administration had this debate, i believe you guys had this debate at times in the Trump Administration. What is an appropriate response on cyber . And one of the arguments ive heard that makes it very difficult is, we get hurt more on Cyber Attacks than other countries do, because were just more developed. So what would that look like on russia . Well, lets be clear. The russians, the chinese, the iranians, the North Koreans and others have focused on cyber, because it is an asymmetric attack against the United States. They cant match us in many other areas. So they have. Itted an area of real vulnerability and gone after it. So by the same token, it doesnt necessarily mean that our response has to be in cybersp e cyberspace. It could be in other areas, as well. And what im reminded of, watching the discussion over the past week, im reminded of the old adage, war is too important to be left to the generals. And i would say here, cybersecurity is too important to be left to the cybersecurity geeks. This is a question of the highest political order internationally. And this is not something that you let technical experts debate about. This is a real test of the United States i just want to say ag